NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

FOLLOW-UP REVIEW OF NCUA ENCRYPTION
Report #OIG-07-11     November 15, 2007

William A. DeSarno
Inspector General

Released by:          James Hagen, Asst IG for Audits
Auditor-in-Charge:    W. Marvin Stith, CISA, Sr Information Technology Auditor

TABLE OF CONTENTS

Section

           EXECUTIVE SUMMARY
           BACKGROUND
           OBJECTIVE
           SCOPE & METHODOLOGY
           RESULTS
   A         Sensitive credit union data is unprotected on some examiners' computer equipment.
   B         Sensitive credit union data is exposed on the NCUA’s intranet
   C         Other Audit Matters – Encryption Technology
Appendix     NCUA Management Comments

EXECUTIVE SUMMARY
The National Credit Union Administration (NCUA) Office of Inspector General
(OIG) performed an audit to determine if NCUA is adequately protecting sensitive
electronic data. To determine whether the NCUA adequately protects sensitive
electronic data, we interviewed a judgmental sample of examiners and reviewed
the examiners’ computer equipment [1].
We also interviewed the Chief Information
Officer and reviewed policies and procedures related to protecting sensitive data.

We determined that the NCUA is adequately protecting sensitive electronic data.
The examiners were primarily saving exam-related files to their encrypted ‘My
Documents’ folder as advised by the OCIO. In addition, we did not identify any
unencrypted exam files on the NCUA-issued external hard drives. However, we
determined the NCUA could make improvements to better protect this data.
Specifically, while 94 percent of the exam files we identified on the laptops we
reviewed were encrypted, some examiners had potentially sensitive unencrypted
credit union data on their computer equipment. In addition, there was unrestricted
access to sensitive credit union data on the NCUA intranet. We also learned that
while the encryption technology the NCUA used adequately protected sensitive data
if used as guided, the NCUA OCIO was planning to implement a strategy to better
protect electronic PII and other sensitive data.

Our report includes five recommendations to NCUA to improve the security, access
and storage of sensitive credit union data. Management agreed with all five
recommendations and has started corrective action.

[1] Computer equipment includes NCUA-issued laptops, external hard drives, and USB flash drives, and unencrypted
media such as USB flash drives and CDs.

BACKGROUND:
In today’s computing environment, there are many threats to the confidentiality of
information stored on end user devices, which could cause information stored on
the devices to be accessed by unauthorized parties. Some threats are
unintentional, such as human error, while others are intentional.
These threats
are posed by people with many different motivations, including causing mischief
and disruption and committing identity theft and other fraud. One common threat
against end user devices is loss or theft. Someone with physical access to a
device has many options for attempting to view the information stored on the
device. This is also a concern for insider attacks. To prevent disclosures of PII
and other sensitive data, the information needs to be secured.

Following numerous incidents at various Federal agencies involving the
compromise or loss of sensitive personal information, OMB issued memorandum
M-06-16 on June 23, 2006. The memorandum required agencies to take specific
actions to protect PII and sensitive information as outlined in NIST Special
Publication (SP) 800-53 and 800-53A. In addition, OMB recommended that
agencies take additional actions to protect sensitive agency information. OMB
requested that agencies ensure that the safeguards outlined in M-06-16 be
reviewed and in place within 45 days from the issuance of the memorandum
(August 7, 2006). Inspectors General were also requested to conduct
a subsequent review to assess their respective agency’s compliance. The OIG
issued a report in February 2007 (OIG-07-01) and determined the NCUA needed
to improve protections for PII transported or stored offsite. During this Privacy review
we addressed PII or sensitive data we identified during the FY 2006 FISMA audit that
were not encrypted prior to being removed from agency premises.

Before we completed the Privacy review, the NCUA had started to implement some
encryption capabilities. The CIO sent several emails to users providing instructions
on encryption. In addition, the OCIO began to distribute an encryption process that
applied encryption to select folders and files located on agency laptops.
Once the
user initiated the encryption routine sent by the OCIO, the encryption would occur
automatically in the background on a daily basis. When you place or create files or
folders in encrypted folders, they are automatically encrypted. If you move a file or
folder from an encrypted location to a non-encrypted location, the encryption will
automatically be removed from the file or folder. In addition, if you move an
encrypted file or folder to a CD or DVD, the encryption will automatically be removed.
During our review, the OCIO also emailed instructions for encrypting the external
hard drive. Subsequent to the Privacy review, the OCIO implemented a technical
solution that verified if certain folders or documents were encrypted. This solution
forced the encryption on users that did not initiate the routine sent previously. If the
routine identified unencrypted documents, it automatically encrypted the files without
user intervention.

OBJECTIVE:

The objective of this review was to determine if NCUA is adequately protecting
sensitive electronic data.

SCOPE & METHODOLOGY:

To determine whether the NCUA adequately protected sensitive electronic data,
we interviewed a judgmental sample of examiners and reviewed the examiners’
computer equipment. We searched the examiners’ computer equipment using
the following criteria to identify exam-related files:

   • *exam*.* - to identify exam files that contained ‘exam’ in the document title
   • *share*.* - to identify exam files that contained ‘share’ in the document title
   • *loan*.* - to identify exam files that contained ‘loan’ in the document title
   • *.nb7 - to identify backup files [2]

Some of the common exam files and some unique exam files we identified
contained sensitive credit union data.
For example, we determined that one of
the common exam files entitled ‘Query Report Shares Greater Than
$100,000.doc’ contained credit union member names and account numbers.
However, we did not view the contents of this file type each time we found it
unencrypted on an examiner’s computer equipment. Instead, we assumed that
exam files with the same common filenames potentially contained the same type
of sensitive data. On the other hand, we did view the contents of the other
unencrypted unique files we identified to determine that they contained sensitive
data. We also interviewed the Chief Information Officer and reviewed policies
and procedures related to protecting sensitive data.

We conducted our fieldwork from April 2007 through November 2007 and
performed this review in accordance with Generally Accepted Government Auditing
Standards.

[2] Backup files with this extension were created by the NovaStor NovaBACKUP software, which the NCUA used
previously for backups. The NCUA uses a new procedure and software that restricts backups to the NCUA-issued
encrypted external hard drives.

RESULTS:

A. Sensitive credit union data is unprotected on some examiners' computer
   equipment.

Examiners are primarily encrypting exam-related files; however, we identified
unencrypted exam files on some of the examiners’ laptops, NCUA-issued USB flash
drives, and unencrypted USB flash drives. Some of these files potentially contained
sensitive credit union data such as credit union member names and account
numbers; CAMEL ratings; and credit union operating exceptions, violations of law or
regulation, or unsound policies, practices or procedures.
Following are the results of
our review of the examiners’ computer equipment:

    •    Nine of the fifteen examiners we interviewed had a total of 214 unencrypted
         exam files located on their C: drive. We determined that 107 of these
         unencrypted files potentially contained sensitive data. We were able to
         determine that 64 of these sensitive files [3] were located either in the Desktop
         folder, the Desktop\OldDesktop folder or a Desktop\%OtherFolder%\ folder [4]. In
         addition, we were able to determine the dates of the 107 sensitive files as follows:

         Dates    2005 and Earlier    Jan 1, 2006 – Aug 31, 2006 [5]    Sep 1, 2006 – Dec 31, 2006    2007    Total
         Files    47                  16                                10                            34      107

         Table A. Dates of Potentially Sensitive Exam Files

              o Between October and November 2005 the OCIO created an
                OldDesktop sub folder within the laptops’ Desktop folder to store files
                that existed on users’ desktops prior to the NCUA’s transition to a new
                operating system. In February 2006 the NCUA OCIO advised field
                staff to delete old exam files before the agency-wide conversion to new
                laptops. Some examiners may have forgotten about the exam files
                placed in their OldDesktop folders in 2005.

              o The NCUA OCIO 2006 IT policy (2006 Hi-Tech Manual) provided
                users guidance on encrypting folders; however, it did not mandate that
                users encrypt folders or advise which folders to encrypt.
                In addition,
                when the OCIO implemented its new encryption procedures in August
                2006, it did not advise field staff to delete old exam files or move exam
                files still needed to the encrypted folders. This lack of guidance may
                have contributed to why some exam files existed in other unencrypted
                folders on examiners’ laptops.

[3] We were unable to identify the locations of the other 43 files containing sensitive information.
[4] %OtherFolder% substitutes for the name of any subfolder of the Desktop folder other than the OldDesktop folder.
[5] The NCUA OCIO forced the encryption policy effective September 1, 2006.

              o The NCUA OCIO 2007 IT policy (2007 Hi-Tech Manual) advised that
                all work-related files be put into the encrypted 'My Documents' folder [6]
                and that no confidential information should be saved on the desktop. A
                few examiners admitted they saved exam files to the desktop, but also
                said they later deleted them. Regardless, some examiners did not
                follow NCUA policy.

    •    We identified 51 unencrypted files on three NCUA-issued USB flash drives.[7]
         More than half of these files potentially contained sensitive credit union data.
         In addition, three examiners said they used unencrypted USB flash drives to
         save exam files. However, we did not identify any remaining unencrypted
         files on these drives. The NCUA previously authorized examiners to
         purchase other computer media such as USB drives and CDs.
         The NCUA
         did not have a formal policy requiring examiners to use the NCUA-issued
         USB flash drive.[8] However, in August 2006, the OCIO instructed examiners
         to use the NCUA-issued USB flash drives for sensitive data.[9] Some
         examiners did not follow OCIO guidance.

    •    We reviewed external hard drives that examiners used for backing up files on
         their laptops. All the files on the external hard drives were encrypted.
         However, six of the 15 examiners had old unencrypted backup files [10] on their
         laptops and a CD. The NCUA OCIO 2006 IT policy provided instructions to
         examiners to back up files weekly to their external hard drives using NovaStor
         NovaBACKUP software. The NCUA used the NovaBACKUP software prior
         to when the NCUA implemented its new encryption policies and procedures.
         Therefore, these backup files may have contained unencrypted exam files. In
         addition, the 2006 IT policy indicated examiners could use other computer
         media such as CDs for more frequent backups. However, in August 2006 the
         OCIO provided instructions to examiners to limit the use of CDs and
         requested examiners take their CDs to the regional conference to be
         destroyed.[11] Some examiners did not follow the OCIO’s guidance on backing
         up files to external hard drives and other computer media or for destroying
         CDs.

[6] The ‘My Documents’ folder is located on the D: drive.
[7] The OCIO distributed USB flash drives with an encryption capability to examiners beginning during the NCUA
regional conference in August 2006. The USB flash drive’s encryption capability is not automatic.
It requires the
user to log in to the feature in order to place files in the encrypted portion of the drive; otherwise, any files a user
places on the drive are unencrypted.
[8] In the OIG report, Review of NCUA’s Compliance with OMB M-06-16 Protection of Sensitive Agency
Information (Report #OIG-07-01) dated February 7, 2007, the OCIO agreed to develop a policy that
addresses information protection needs for PII accessed, transported, or stored remotely.
[9] The NCUA is developing an agency instruction that requires examiners to use computer equipment that is
encryption-capable with the encryption function enabled.
[10] These were the backup files with the .nb7 extension created using the NovaStor NovaBACKUP software.
[11] The NCUA is developing a policy that does not allow the use of unencrypted computer equipment.

    •    We identified two NCUA-issued USB flash drives on which the encryption
         login feature did not function. One of these drives contained unencrypted files
         as discussed above. We previously reported these drives were not
         NIST-validated and therefore were not approved for use by NIST.
         The OCIO
         agreed to purchase new drives if possible and planned to distribute
         NIST-validated drives in January 2008.

If examiners' laptops or other media are lost or stolen, sensitive credit union data
could be exposed to unauthorized third parties potentially resulting in the theft of
credit union members' identities, causing embarrassment to the NCUA and exposing
the agency to potential liabilities.

Recommendation #1: NCUA OCIO should reiterate to examiners
the requirement to save all exam-related files only to the encrypted ‘My
Documents’ folder and to use only NCUA-issued USB flash drives for exams or
interim backups.

Management Response: Agreed. CIO Verner will issue this reminder to all field
staff.

OIG Response: We agree with proposed action.

Recommendation #2: NCUA OCIO should require examiners to delete
unencrypted exam files that are not needed and to delete old backup files from their
computer equipment or if needed, to move the files to the encrypted "My Documents"
folder.

Management Response: Agreed. CIO Verner will include this in his reminder
message to staff.

OIG Response: We agree with proposed action.

Recommendation #3: NCUA OCIO should assist examiners in locating
unencrypted exam and backup files and require the examiners to move or delete
these files.

Management Response: Agreed. CIO Verner will include this in his reminder
message to staff.

OIG Response: We agree with proposed action.

Recommendation #4: Until the NCUA OCIO is able to issue NIST-validated USB
flash drives, OCIO should investigate and resolve problems with the operation of the
encryption software on the current NCUA-issued drives.

Management Response: Agreed. CIO Verner will include this in his reminder
message to staff.

OIG Response: We agree with proposed action.


B. Sensitive credit union data is exposed on the NCUA’s intranet

The NCUA maintains a link to credit union exam data (AIRES Downloads) on its
intranet. Exam data is available for credit unions in all five NCUA regions. The
AIRES Downloads repository contains the same type of files examiners maintain on
their laptops and contains files at least as far back as 2000. Therefore, these files
also potentially contained sensitive credit union data such as credit union member
names and account numbers; CAMEL ratings; and credit union operating exceptions,
violations of law or regulation, or unsound policies, practices or procedures. For
example, a file we downloaded for one credit union contained a subset of the credit
union’s member names, social security numbers and credit card numbers. There are
no restrictions to limit or control access to this data. Consequently, anyone with
access to the NCUA intranet can access this data regardless of whether exam data
is within the scope of their responsibilities. For example, any examiner from any
region could access exam data for any credit union within their region or any other
region. Also, an NCUA employee who works in a non-exam area could access
exam data for credit unions in any of the five regions. These users would be able to
view and save sensitive credit union data.

OMB A-130, Appendix III indicates that the greatest harm to a system has come from
authorized individuals engaged in improper activities, whether intentional or
accidental. In addition, OMB Memorandum 07-16 indicates that limiting access to PII
to only those individuals who must have such access may be one way to greatly
reduce the risks related to a data breach of PII.
The Privacy Act of 1974 requires
agencies to establish appropriate administrative, technical, and physical safeguards
to insure the security and confidentiality of records and to protect against any
anticipated threats or hazards to their security or integrity which could result in
substantial harm, embarrassment, inconvenience or unfairness to any individual on
whom information is maintained.

Uncontrolled access to the AIRES exam data by NCUA users without a
need-to-know could result in the misuse of sensitive credit union data and the theft of
credit union members' identities, cause embarrassment to the NCUA and expose the
agency to potential liabilities.

Recommendation #5: NCUA OCIO should implement technical access controls
to AIRES exam data on the NCUA intranet.

Management Response: Agreed. OCIO will work with E&I to establish and
implement both procedural guidance and technical controls that improve the security
of data located on the NCUA Intranet site. Options we are exploring include:

     •   Migrating sensitive data from the intranet to SharePoint where permissions
         for accessing the information are more easily defined;
     •   Developing a log to identify users who download sensitive data from the
         intranet; and/or,
     •   Archiving additional sensitive data so it is not as accessible as the current
         location.

OIG Response: We agree with proposed action.


C. Other Audit Matters – Encryption Technology

The NCUA implemented an adequate encryption technology to protect sensitive
credit union data. However, as discussed above, some sensitive exam data is still
exposed on NCUA computer equipment.

NIST Draft SP 800-111 indicates there are many technologies available for
encrypting data stored on end user devices.
Encryption can be applied to
individual files containing sensitive information, or broadly, such as encrypting all
storage. Three of the most commonly used technologies are full disk encryption,
virtual disk encryption and volume encryption, and file/folder encryption:

     1. Full disk encryption (FDE) is the process of encrypting all the data on the hard
        drive used to boot a computer, including the computer’s operating system
        (OS), and permitting access to the data only after successful authentication to
        the FDE product. For a computer that is not booted, all the information
        encrypted by FDE is protected, assuming that pre-boot authentication is
        required.

     2. Virtual disk [12] encryption is the process of encrypting a container, which can
        hold many files and folders, and permitting access to the data within the
        container only after proper authentication. Volume [13] encryption is the process
        of encrypting an entire volume and permitting access to the data on the
        volume only after proper authentication.

[12] A virtual disk is a program that simulates a hard disk drive, using part of the computer's random access memory.
Files can be copied into the virtual disk and edited. The virtual disk cannot store files permanently; the updates must
be written to the hard disk or floppy disk before the power is turned off.
[13] A volume is a fixed amount of storage on a disk or tape. The term volume is often used as a synonym for the
storage medium itself, but it is possible for a single disk to contain more than one volume or for a volume to span
more than one disk.

     3. File encryption is the process of encrypting individual files on a storage
        medium and permitting access to the encrypted data only after proper
        authentication.
        Folder encryption is very similar to file encryption, only it
        addresses individual folders instead of files.

The NCUA uses file encryption technology, specifically Windows Encrypting File
System (EFS) [14]. This encryption is selective and encrypts files automatically,
based on defined attributes like file location (e.g., folder), file type (e.g.,
spreadsheets) or source application (e.g., all Excel files). The NCUA provides
encryption of files based on their location in folders the OCIO specified. EFS
relies on sensitive data being written into these protected locations and cannot
stop users from copying encrypted files to unencrypted locations, which is what
has occurred within the NCUA.

The CIO informed us the OCIO plans to implement a new strategy for encryption,
data security and PII that includes:

            •    NIST-approved USB flash drives the OCIO plans to issue in January 2008
            •    Email encryption
            •    Full disk encryption
            •    A new software product to encrypt removable media
            •    Software to protect file permissions (e.g., encryption) as the data moves
                 from one place to the next.

We believe the CIO’s strategy will result in improved encryption and data security that
will better protect the NCUA’s PII and other sensitive data.
We will follow the OCIO’s
efforts to improve the protection of the agency’s PII and sensitive data.

[14] Windows EFS is Microsoft's basic file/folder encryption tool.


APPENDIX
NCUA MANAGEMENT COMMENTS

OCIO/D2V/NRM:nrm

To:              Inspector General Bill DeSarno

From:            Executive Director J. Leonard Skiles /S/

Subject:         Comments on OIG Review of NCUA Encryption

Date:            November 13, 2007


We have reviewed your draft report on data encryption and found it to be very
thorough and informative. We agree with your findings. OCIO and E&I will work
together to implement them.

The first four recommendations pertain to sensitive credit union data found on
examiners’ hard drives:

      1. NCUA OCIO should reiterate to examiners the requirement to save all exam-related
         files only to the encrypted ‘My Documents’ folder and to use only NCUA-issued USB
         flash drives for exams or interim backups.

         Management Response: Agreed. CIO Verner will issue this reminder to all field
         staff.

      2. NCUA OCIO should require examiners to delete unencrypted exam files that are not
         needed and to delete old backup files from their computer equipment or if needed, to
         move the files to the encrypted "My Documents" folder.

         Management Response: Agreed. CIO Verner will include this in his reminder
         message to staff.

      3. NCUA OCIO should assist examiners in locating unencrypted exam and backup files
         and require the examiners to move or delete these files.

         Management Response: Agreed.
         CIO Verner will include this in his reminder
         message to staff.

      4. Until the NCUA OCIO is able to issue NIST-validated USB flash drives, OCIO
         should investigate and resolve problems with the operation of the encryption software
         on the current NCUA-issued drives.

         Management Response: Agreed. CIO Verner will include this in his reminder
         message to staff.

The final recommendation pertains to sensitive credit union data accessed via
the NCUA Intranet:

      •   NCUA OCIO should implement technical access controls to AIRES exam data on the
          NCUA intranet.

          Management Response: Agreed. OCIO will work with E&I to establish and
          implement both procedural guidance and technical controls that improve the security
          of data located on the NCUA Intranet site. Options we are exploring include:

          • Migrating sensitive data from the intranet to SharePoint where permissions for
          accessing the information are more easily defined;

          • Developing a log to identify users who download sensitive data from the intranet;
          and/or,

          • Archiving additional sensitive data so it is not as accessible as the current location.

Thank you for giving us the opportunity to review the draft report. If you have any questions
about our response, please feel free to call Doug Verner.

cc:       Director David Marquis
          Director Doug Verner
          Assistant IG Jim Hagen
          Acting-DED Dave Hibshman
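
The file search described under Scope & Methodology, which is also the clean-up that Recommendation #3 asks the OCIO to support, can be scripted as shown here. This is an added example, not code from the report or from the NCUA: it applies the four filename criteria and reports matches that lack the Win32 FILE_ATTRIBUTE_ENCRYPTED bit that EFS sets. The function names, the sample folder tree and the simulated attribute lookup are assumptions made for illustration.

```python
import fnmatch
import os
import tempfile
from collections import Counter

# Search criteria from the report's Scope & Methodology section.
PATTERNS = ("*exam*.*", "*share*.*", "*loan*.*", "*.nb7")

# Win32 file attribute bit that EFS sets on an encrypted file.
FILE_ATTRIBUTE_ENCRYPTED = 0x4000


def windows_attributes(path):
    """Win32 attribute bits for path; 0 on platforms that expose none."""
    return getattr(os.stat(path), "st_file_attributes", 0)


def is_exam_related(name):
    """Case-insensitive match against the audit's filename criteria."""
    lowered = name.lower()
    return any(fnmatch.fnmatchcase(lowered, p) for p in PATTERNS)


def scan(root, attrs_of=windows_attributes):
    """Walk root and sort matching files into unencrypted / unreadable."""
    result = {"unencrypted": [], "unreadable": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not is_exam_related(name):
                continue
            path = os.path.join(folder, name)
            try:
                encrypted = attrs_of(path) & FILE_ATTRIBUTE_ENCRYPTED
            except OSError:
                # Report the file rather than assume it is protected.
                result["unreadable"].append(path)
                continue
            if not encrypted:
                result["unencrypted"].append(path)
    result["unencrypted"].sort()
    result["unreadable"].sort()
    return result


def by_top_folder(root, paths):
    """Count findings per first-level folder (Desktop, Backups, ...)."""
    counts = Counter()
    for path in paths:
        parts = os.path.relpath(path, root).split(os.sep)
        counts[parts[0] if len(parts) > 1 else "."] += 1
    return dict(counts)


def demo():
    """Scan a constructed tree; the EFS state is simulated, not real."""
    sample = [  # constructed sample files, not data from the report
        ("Desktop", "OldDesktop",
         "Query Report Shares Greater Than $100,000.doc"),
        ("Desktop", "loan review.xls"),
        ("Desktop", "notes.txt"),
        ("My Documents", "exam 2007.doc"),
        ("Backups", "laptop.nb7"),
    ]
    with tempfile.TemporaryDirectory() as root:
        for parts in sample:
            path = os.path.join(root, *parts)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()

        def simulated_attrs(path):
            # Assumption for the demo: only 'My Documents' is EFS-protected,
            # mirroring the location-based encryption the report describes.
            top = os.path.relpath(path, root).split(os.sep)[0]
            return FILE_ATTRIBUTE_ENCRYPTED if top == "My Documents" else 0

        found = scan(root, simulated_attrs)["unencrypted"]
        return [os.path.relpath(p, root) for p in found], by_top_folder(root, found)


if __name__ == "__main__":
    paths, counts = demo()
    for p in paths:
        print("UNENCRYPTED", p)
    print(counts)
```

On a Windows laptop, calling `scan()` with its default attribute lookup reads the real EFS bit; on other platforms that lookup returns 0, so every matching file is reported.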